Although Windows is a powerful operating system, some inherent weaknesses leave it with many loopholes, and the famous BO program exploits Windows vulnerabilities to compromise a computer's security. The author recently came across a very popular tool for obtaining the password in an Edit box; its source code was even published in a newspaper, which undoubtedly negates the Password feature of the Edit control completely. This article first analyzes how the password is obtained and then gives a countermeasure, implemented in Visual C, that keeps the password in the Edit box from being obtained illegitimately.

(1) How the password is obtained illegitimately

Edit is a standard Windows control. When its Password property is set to TRUE, the input is masked with asterisks (*), which is meant to protect it. However, the content of an Edit box can be obtained by sending it a WM_GETTEXT or EM_GETLINE message. The hacker program uses this feature of Edit: it first enumerates all child windows of the current program, and when it finds a window that is an Edit with the ES_PASSWORD style, it sends WM_GETTEXT or EM_GETLINE to that window via SendMessage, so the content of the Edit box is plain to see.

(2) Protecting the password

The analysis above shows that the Edit control's weakness is that it does not check the identity of whoever sends a WM_GETTEXT or EM_GETLINE message: once the Edit window handle is found, any process can get its content. A simple method for verifying that the sender of the message is legitimate is given below.
1) Create a new class CPasswordEdit derived from CEdit. Declare a global variable g_bAuthorIdentity that indicates the identity of the message sender:

    BOOL g_bAuthorIdentity;

Then override the CWnd virtual function DefWindowProc and perform the identity check in it:

    LRESULT CPasswordEdit::DefWindowProc(UINT message, WPARAM wParam, LPARAM lParam)
    {
        // The content of the Edit can only be obtained through one of the following two messages
        if ((message == WM_GETTEXT) || (message == EM_GETLINE))
        {
            // Check whether the request is legitimate
            if (!g_bAuthorIdentity)
            {
                // Illegitimate request: display a message and return nothing
                AfxMessageBox(_T("My password, can't let you see!"));
                return 0;
            }
            // Legitimate request: reset the flag so it covers this one read only
            g_bAuthorIdentity = FALSE;
        }
        return CEdit::DefWindowProc(message, wParam, lParam);
    }

2) Handling in the data entry dialog

In the dialog class, declare a member m_edtPassword:

    CPasswordEdit m_edtPassword;

Then add the following code in the dialog:

    m_edtPassword.SubclassDlgItem(IDC_EDIT_PASSWORD, this);

Its purpose is to associate the control with the new class.
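The gate above, modelled in portable C++ as an added example (not code from the original article), including the step where the owning dialog sets g_bAuthorIdentity before its own read. PasswordEditModel, HandleMessage, OwnerRead and ForeignRead are hypothetical names, and no Windows API is called, so only the flag logic is shown.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>
#include <utility>

// Message numbers as defined in the Windows SDK headers.
constexpr unsigned kWmGetText = 0x000D;  // WM_GETTEXT
constexpr unsigned kEmGetLine = 0x00C4;  // EM_GETLINE

bool g_bAuthorIdentity = false;  // the article's flag; set only by the owning dialog
// Hypothetical stand-in for CPasswordEdit (assumption: not an MFC class).
class PasswordEditModel {
public:
    explicit PasswordEditModel(std::string text) : text_(std::move(text)) {}
    // Same gate as the article's override; EM_GETLINE is simplified to act like WM_GETTEXT.
    std::size_t HandleMessage(unsigned message, char* buf, std::size_t cap) {
        if (message != kWmGetText && message != kEmGetLine) return 0;
        if (!g_bAuthorIdentity) return 0;  // flag not armed: refuse, copy nothing
        g_bAuthorIdentity = false;         // one-shot: the next read must re-arm
        if (cap == 0) return 0;
        const std::size_t n = std::min(text_.size(), cap - 1);
        std::memcpy(buf, text_.data(), n);
        buf[n] = '\0';
        return n;                          // number of characters copied
    }
private:
    std::string text_;
};

// What the owning dialog does: arm the flag, then read immediately.
std::string OwnerRead(PasswordEditModel& edit) {
    char buf[64] = {0};
    g_bAuthorIdentity = true;
    return std::string(buf, edit.HandleMessage(kWmGetText, buf, sizeof buf));
}

// What any other sender does: send the message without touching the flag.
std::string ForeignRead(PasswordEditModel& edit, unsigned message) {
    char buf[64] = {0};
    return std::string(buf, edit.HandleMessage(message, buf, sizeof buf));
}

int main() {
    PasswordEditModel edit("constructed-sample");  // constructed sample value
    std::cout << ForeignRead(edit, kEmGetLine).size() << ' ' << OwnerRead(edit) << '\n';
}
```

Because the flag is reset on every permitted read, the dialog has to set it again before each call that retrieves the text.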